Plex Port Forwarding not working what am I doing wrong

After browsing this forum and Reddit, trying what everyone does it still does not work and I’m kinda going crazy.

Setup:

  • MikroTik hEX S (Router OS: 6.49.17)

  • Fiber both ways

  • Confirmed with ISP they are not blocking ports or acting as a router

  • Yes I do have a public IP

  • Port is not opening up

  • I know you are not supposed to need a filter rule but I am troubleshooting

  • Yes I have set the NAT via quick set and manual

  • Plex is set to port 32400 manually (says it can get out from the local plex web page, but plex website offnetwork can’t reach it)

  • Tried on alternative ports to see if it was in use despite network tools saying otherwise but same result.

  • NAT:

    add action=dst-nat chain=dstnat comment="Plex Port Forwrad" dst-port=32400
    protocol=tcp to-addresses=192.168.88.10 to-ports=32400

    Filter rules:

    add action=accept chain=forward comment="Plex Port Forward Filter"
    connection-nat-state=dstnat dst-address=192.168.88.10 dst-port=32400
    in-interface-list=WAN port="" protocol=tcp src-address=
    src-port=32400

  • I’ve had port forwarding working on other routers, and when I plug in my mini WRT router it works fine, but for some reason MikroTik is just not clicking for me.

For the NAT statement, remove the “to-ports” field value

For the Filter, I actually have 1 generic rule to allow packets with the "dnat" flag set (so "connection-nat-state=dnat"). Try this, remove all other junk with the dst-ip & dst-port and src-port values

This should work. I have had it working for years across dozens of RouterOS releases and it has never failed on me.

Also enable LOGGING and SEE if you see anything fly by the moment you hit the DNAT

I see one problem but I don't help unless you provide the config for completeness as many items are interrelated and it's probably a multiple of issues.

/export file=anynameyouwish ( minus router serial number, any public WANIP information, keys, dhcp lease lists )

okie here you go

# may/08/2026 15:15:09 by RouterOS 6.49.17
#
# model = RB760iGS

/interface bridge
add admin-mac=78:9A:18:63:E8:7B auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.50-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.10 mac-address=CC:28:AA:53:11:1A server=defconf
add address=192.168.88.17 client-id=1:18:8b:e:35:41:84 mac-address=\
    18:8B:0E:35:41:84 server=defconf
add address=192.168.88.6 client-id=1:c:ef:15:f5:ce:24 mac-address=\
    0C:EF:15:F5:CE:24 server=defconf
add address=192.168.88.13 mac-address=F0:A7:31:C4:11:B4 server=defconf
add address=192.168.88.12 client-id=1:ec:71:db:74:67:4f comment=\
    "Camera Garage" mac-address=EC:71:DB:74:67:4F server=defconf
add address=192.168.88.5 client-id=1:d8:44:89:a3:3:48 mac-address=\
    D8:44:89:A3:03:48 server=defconf
add address=192.168.88.9 client-id=1:20:f8:3b:1:e6:8 mac-address=\
    20:F8:3B:01:E6:08 server=defconf
add address=192.168.88.37 mac-address=C8:C9:A3:16:7F:1D server=defconf
add address=192.168.88.50 client-id=1:ec:71:db:bc:fe:1d comment=\
    "Camera Patio" mac-address=EC:71:DB:BC:FE:1D server=defconf
add address=192.168.88.51 client-id=1:38:8d:3d:6d:3:48 comment=\
    "Sony Bravia TV" mac-address=38:8D:3D:6D:03:48 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Plex Port Forward Filter" \
    connection-nat-state=dstnat in-interface=ether1 log=yes log-prefix=\
    "PLEX DSNAT"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Port Forwrad" log=yes \
    log-prefix=PLEX protocol=tcp src-port=32400 to-addresses=192.168.88.10 \
    to-ports=32400
/system clock
set time-zone-name=America/Denver
/system identity
set name=Tron
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LA

ok If I read your comment right this is how you have NAT and Filters setup:

NAT
add action=dst-nat chain=dstnat comment="Plex Port Forwrad" log=yes log-prefix=PLEX protocol=tcp src-port=32400 to-addresses=192.168.88.10 to-ports=32400

Filter
add action=accept chain=forward comment="Plex Port Forward Filter" log=yes log-prefix="PLEX DSNAT" \
    connection-nat-state=dstnat in-interface-list=WAN

So I can see the Filter in logs but not the NAT when I try to connect Plex. I see nothing in logs if I hit my publicIP:32400

This should very likely be dst-port=32400, not src-port=32400.

Also, commonly would have the condition: in-interface-list=WAN
Though not if attempting to hairpin nat, in which case you need slight additional configuration.

1 Like

remove the src-port=32400 value ! When I export my DNAT rule it looks like :

add action=dst-nat chain=dstnat comment="PLEX DNAT TCP" dst-address-list=WAN_IP dst-port=32400 log=yes log-prefix=IP4-DNAT-TCP-PLEX protocol=tcp to-addresses=192.168.X.Y

1 Like
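
Added example (not part of any post in this thread, and not MikroTik code): a small Python check that reads an /export and flags the dst-nat problems the two replies above point out, namely a src-port match, a missing dst-port, and no WAN-side scope. The function names parse_export and audit_dstnat and both sample inputs are constructed for illustration.

```python
import shlex

# Constructed input: the NAT section of the export posted above, wrapped
# with trailing backslashes the way RouterOS /export writes long lines.
BROKEN = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex Port Forwrad" log=yes \
    log-prefix=PLEX protocol=tcp src-port=32400 to-addresses=192.168.88.10 \
    to-ports=32400
'''
# Constructed input: the same rule with the changes suggested in the replies.
FIXED = r'''/ip firewall nat
add action=dst-nat chain=dstnat comment="Plex Port Forwrad" dst-port=32400 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.88.10
'''
SCOPE_KEYS = ("in-interface", "in-interface-list", "dst-address", "dst-address-list")

def parse_export(text):
    """Yield (menu, params) for each 'add' line, joining '\\' continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            yield menu, dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)

def audit_dstnat(text):
    """Return (rule comment, finding) pairs for dst-nat rules that are too broad."""
    findings = []
    for menu, p in parse_export(text):
        if menu != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        name = p.get("comment", "<no comment>")
        if "dst-port" not in p:
            findings.append((name, "no dst-port: not limited to the service port"))
        if "src-port" in p:
            findings.append((name, "src-port set: clients use ephemeral source ports"))
        if not any(k in p for k in SCOPE_KEYS):
            findings.append((name, "no in-interface/dst-address scope: LAN traffic matches too"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_dstnat(BROKEN):
        print(f"{name}: {finding}")
    print("fixed rule findings:", audit_dstnat(FIXED))
```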

Three things I would do,

a. change these rules in the forward chain:
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="Plex Port Forward Filter" \
    connection-nat-state=dstnat in-interface=ether1 log=yes log-prefix=\
    "PLEX DSNAT"

TO:
add action=accept chain=forward comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

AND

b. modify your dstnat rule………….

add action=dst-nat chain=dstnat comment="Plex Port Forwrad" log=yes \
    log-prefix=PLEX protocol=tcp dst-port=32400 to-addresses=192.168.88.10 \
    in-interface-list=WAN

Normally this would suffice, but in your case we have to take into account that you MAY have local users on the same LAN. If they also use the server then we need to make additional steps. If you only have external users you can ignore the rest.

The server and users of the server are in the same LAN and thus you have a hairpin NAT scenario, with many ways to approach it.

A quick solution is to first implement the needed hairpin nat rule.
add chain=srcnat action=masquerade dst-address=192.168.88.0/24 src-address=192.168.88.0/24

Second, to ensure the dstnat rule captures both external and internal users (we already modified the firewall rule for port forwarding into something that allows both in the above first solution piece), we need to turn the in-interface-list=LAN into a more accurate attempt at reaching the WANIP, as if the WANIP was a fixed static IP. We don't need an external dyndns site as we have our own through IP cloud!!

/ip firewall address-list
# mynetname.net stands for the router's own IP Cloud DNS name
add address=mynetname.net list=myWAN

Then we modify the dstnat rule.

add action=dst-nat chain=dstnat comment="Plex Port Forwrad" log=yes \
    log-prefix=PLEX protocol=tcp dst-port=32400 to-addresses=192.168.88.10 \
    dst-address-list=myWAN

2 Likes

Thank you that seems to have worked. Still testing a bit but seems to be working.

If you want to double check post latest config for review.

1 Like